This chapter highlights the major concepts of IOS Mobile IP configuration in
a simple lab topology. It presents in detail the most important concepts in IOS
Mobile IP configuration. We start out by using six routers to examine each
component individually. Several alternatives requiring fewer routers are
presented at the end of the chapter. The idea here is to introduce Mobile IP
configuration in its simplest form. All of the solutions presented in upcoming
chapters are built on the information presented here. The topology presented
here was not created just for this example, but is used by the authors as a
baseline for most of their Mobile IP lab work.

Building the Baseline Topology

Figure 4-1 shows the basic topology, which is designed to demonstrate all the
basic functionality in clearly separated components. It consists of Mobile IP
entities—a single Home Agent, two Foreign Agents (FAs), and a Mobile
Node—and non-Mobile IP entities—a Correspondent Node (CN) and an
intermediate system (IS). Each of these devices is a router capable of running
IOS software, as shown in Table 4-1. Feature Navigator on Cisco.com can confirm
that all features are available on the selected platform.

Table 4-1 Required IOS Software Versions

*If possible, IOS Release 12.3 or higher should be used in the Mobility
Agents—Home Agents and FAs—so that all the features covered in this
book are available.

Note that the Mobile Node in this topology is a "mobile router"
(see Chapter 7, "Metro Mobility: Cisco Mobile Networks"). Although the
mobile router is covered later in this book, it is used in this example to
provide a complete solution that is independent of a specific Mobile Node
client. The mobile router has essentially the same basic configuration
attributes as a simple Mobile Node and thus provides not only a Mobile Node
example but also a mobile router example for later reference.

Intermediate System Configuration

The IS shows the interaction between Mobile IP and traditional routing
protocols and, as such, has no Mobile IP–specific configuration. However,
inclusion of the IS more accurately models real-world scenarios and allows
better understanding of a Mobile IP deployment. In Example 4-1, each interface
is assigned an IP address, and the Open Shortest Path First (OSPF) routing
protocol is configured for all interfaces.

Correspondent Node Configuration

The CN is used as a peer for traffic from the Mobile Node. Many Mobile IP
labs are built without a CN and IS; while this allows basic functionality
testing, it does not demonstrate real-world behavior. The use of a CN
demonstrates the routing infrastructure as well as the Mobile IP infrastructure,
and the interaction of the two. The CN needs only to be configured with an IP
address on the interface. Although the CN is a router in Example 4-2, it could
easily be replaced with a computer.

Example 4-2 CN Final Configuration

Home Agent Configuration

Home Agent configurations entail the following three basic tasks:

Enabling the Home Agent

Configuring the home networks

Configuring the Mobile Nodes that are supported by the Home Agent

We will step through the three tasks and introduce the IOS configuration
commands that are needed on the router. The configuration shown in this section
demonstrates the base configuration of the Home Agent. Later chapters introduce
more features, but keep in mind that you should always keep the configurations
as short as possible and enable only the necessary features.

The foremost task is to simply enable the Mobile IP functionality. Note that
regardless of which Mobile IP entity the router is functioning as, the Mobile IP
routing process needs to be configured as follows:

router mobile

When the Mobile IP process is running, one or more Mobility Agents can be
enabled. To configure this router as a Home Agent, use the following
command:

ip mobile home-agent

The next step is to configure the home networks and Mobile Nodes that are to
be supported by the Home Agent. IOS Mobile IP supports two types of home
networks, physical home networks and virtual home networks. Each Mobile Node
that is supported by a Home Agent must reside on one of these types of home
networks.

Physical Home Network Configuration

When a Home Agent supports physical home networks, it allows Mobile Nodes to
attach directly to their home network. The physical home networks are defined on
a Home Agent's physical interface. When a Mobile Node is attached to its
home network, all Mobile IP functionality is inactive for that Mobile Node, and
normal IP routing delivers traffic. When the Mobile Node is not attached to the
home network, the Home Agent uses proxy Address Resolution Protocol (ARP) to
divert traffic to the Mobile Node in its current location. Route propagation for
a physical home network is handled directly by interior routing protocols, just
as it would be for an interface with no Mobile Nodes. To use a physical home
network, simply assign the interface an IP address and ensure that it is not
shut down.

NOTE

When using physical home networks, if the interface is down, Mobile Nodes
cannot register with the Home Agent.

Virtual Home Network Configuration

A Home Agent also supports Mobile Nodes that reside on a virtual home
network. Virtual home networks are similar to loopback interfaces, but they are
Mobile IP specific. Similar to a loopback interface, a virtual network is always
up and not susceptible to physical failures, thereby ensuring higher
availability. Virtual networks only support nodes that never physically come
home. Virtual networks are expressed as a network number and mask. To define a
new virtual network on the Home Agent, use the following configuration command,
where address is the network number and mask is the network mask:

ip mobile virtual-network address mask

Unlike physical interfaces, however, routing information about virtual
networks can only be originated by the Home Agent when mobile routes are
redistributed into the interior gateway protocol. Redistribution of Mobile IP
routes only redistributes the virtual networks; it does not redistribute the
individual host routes that reach the Mobile Nodes. The section "Examining
the Routing Table," later in this chapter, shows how Mobile IP routes
appear in the routing table and how redistribution works.

NOTE

Redistribution allows routes from one routing domain to be translated
and injected into another routing domain. Use care when redistributing routes to
maintain a functional routing topology.

Specific configuration of redistribution varies from protocol to protocol,
but generally, it should be configured on the Home Agent as follows:

redistribute mobile

The next step is to configure Mobile Nodes to reside on a particular home
network.

Mobile Host Configuration

The essence of a Home Agent configuration centers around configuring the
Mobile Nodes that it supports and appears on one or more lines beginning with
the ip mobile host command. This command defines which Mobile
Nodes are allowed to register, which services they are allowed to use, and how
to authenticate them. (The security association itself is configured separately,
as described in the next section of this chapter.) The ip mobile
host command requires a Mobile Node or group of Mobile Nodes to be
defined and associated with a home network.

In the following example command, we consider a simple case—defining a
range of Mobile Nodes identified by their home address (192.168.100.10 through
192.168.100.20) and associating them with a virtual network (192.168.100.0 with
mask 255.255.255.0):

The Home Agent also needs to be configured with the Mobile-Home security
association for each Mobile Node. The security association can be configured
either in a AAA server or on the command line, as described in the examples of
the next section.

Security Association Configuration

The security association between the Home Agent and a Mobile Node is
mandatory; it is also the only one used in this chapter. A security context is
configured on the Home Agent one per line, and each line is usually associated
with one Mobile Node. (Remember a security association is made up of one or more
security contexts.) In some cases, several Mobile Nodes can share the same
security key, but this is generally not recommended. At a minimum, one Mobile
Node-Home Agent (MN-HA) security context is configured for each mobile host
entry, but the standard allows for far more. If multiple security contexts,
which are differentiated by using different security parameter index (SPI)
values, are configured for a single mobile host, the IOS mobile router
implementation will round-robin through all keys. In this case, each
Registration Request (RRQ) uses a different security context going from the
lowest to the highest SPI value and then starting over again. The Home Agent
always uses the same security context that was used in the RRQ by the Mobile
Node when the Mobile Node sends a Registration Reply (RRP).

NOTE

Configuration of security associations for IOS Mobile IP is always done from
the perspective of the agent that is to use that security association. For
example, the ip mobile secure foreign-agent... command configures a Home
Agent-FA security association on the Home Agent. If the same command were
configured on the Mobile Node, it would imply an MN-FA security association.

In the case of a router serving as both a Home Agent and FA, the
configuration of keys for Mobile Nodes is slightly different. Specifically, you
must be able to differentiate the Mobile Node-Foreign Agent (MN-FA) and MN-HA
keys in this hybrid case. Because IOS uses the host command to refer to
the Mobile Node in Home Agent configurations and the visitor command to refer to
the Mobile Node in FA configurations, the same is done for security
associations. Thus, the ip mobile secure host command configures the Home
Agent-Mobile Node (HA-MN) security association, while the ip mobile secure
visitor command configures the FA-MN security association.

As with all security contexts, the HA-MN security context must be indexed with
an SPI. The SPI in IOS is specified as a hexadecimal value. Finally, the key,
algorithm, and mode must be specified. You can specify keys as an ASCII value or
a hexadecimal value. To avoid errors, hexadecimal keys are recommended because
the use of ASCII keys is not standardized. A complete HA-MN security association
is as follows:

Home Agent Final Configuration

Example 4-3 shows the final configuration of a router serving as a Home
Agent. The Home Agent supports Mobile Nodes (192.168.100.10 through
192.168.100.20) residing on virtual network 192.168.100.0. The only Mobile Node
configured with a security association is 192.168.100.10, and thus, it is the
only Mobile Node allowed to register and roam.
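The following is an added example of a complete Home Agent configuration for this topology; it is not the book's Example 4-3. The Home Agent address 192.168.1.2, the virtual network, the host range and the single secured host come from the text. The interface name, the OSPF process number and area, the SPI value, the key (a lab placeholder, not a real secret) and the key hex / algorithm md5 / mode prefix-suffix keyword forms are assumptions about IOS syntax that the page itself does not show.

```cisco
! Added example: Home Agent for virtual home network 192.168.100.0/24.
! Interface name, OSPF process/area, SPI and key are assumptions;
! the key is a lab placeholder only.
hostname HA
!
interface Ethernet0/0
 description Link toward the IS; this is the Home Agent address the Mobile Node uses
 ip address 192.168.1.2 255.255.255.0
!
! Mobile IP process: required on every Mobile IP entity before any ip mobile command
router mobile
!
! The virtual network is not a real interface, so OSPF only learns it through
! redistribution of Mobile IP routes (add the subnets keyword for non-classful networks)
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 redistribute mobile
!
! Enable Home Agent function
ip mobile home-agent
!
! Virtual home network: always up, never physically attached to
ip mobile virtual-network 192.168.100.0 255.255.255.0
!
! Mobile Nodes 192.168.100.10 through .20 may register and reside on the virtual network
ip mobile host 192.168.100.10 192.168.100.20 virtual-network 192.168.100.0 255.255.255.0
!
! MN-HA security context for the one node allowed to roam. SPI is hexadecimal;
! the key is given in hex so both ends derive identical key bytes.
! Only hosts with a security context can register, so .11 through .20 are rejected.
ip mobile secure host 192.168.100.10 spi 100 key hex 00112233445566778899aabbccddeeff algorithm md5 mode prefix-suffix
```

After a Mobile Node registers, the binding can be checked on the Home Agent with show ip mobile binding, and the configured hosts with show ip mobile host (commands I use for verification; they are not described on this page). A registration from 192.168.100.11 would fail authentication because no security context exists for it, which is the behavior the text describes.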

Foreign Agent Configuration

The FA configuration used in this lab is simple and represents the most
common implementation. Complex FA configurations are typically only used in
mobile Internet service provider deployments of Mobile IP. A basic FA
configuration requires the definition of the Care-of Address (CoA) and
activation of roaming interfaces.

Recall that for any Mobile IP entity, the IOS Mobile IP process must be
started before any Mobile IP commands can be accepted on the router. Again, this
is accomplished with the router mobile command.

FA functionality is enabled with a single global statement that also
specifies the interface to be used as the CoA. In the following example command,
Ethernet interface 1/0 is configured with FA functionality:

ip mobile foreign-agent care-of Ethernet1/0

When the FA service has been enabled on the router, each interface that can
accept Mobile Nodes needs to be configured. The interface-level command is as
follows:

ip mobile foreign-service

Finally, because Mobile IP agent advertisements are part of Internet Control
Message Protocol (ICMP) Router Discovery Protocol (IRDP) advertisements, IRDP
must be configured. The default timers for IRDP are long and do not facilitate
timely handovers unless solicitation is used. In Example 4-4, the timers have
been lowered because no link state triggers exist. Three relevant values exist
for IRDP configuration: maxadvertinterval,
minadvertinterval, and holdtime. If the
min and max values are used together, a random value in
between the two is generated for each advertisement. The holdtime should
typically be three times the maximum to ensure that the agent is truly gone and
not just experiencing a brief packet loss. Configuration values for IRDP timers
are in seconds. Note that the advertisement timers can also be adjusted on the
Home Agent with similar IRDP commands. Unless specified through configuration
commands, the default IRDP values are a maximum interval of 5 minutes and a
holdtime of 15 minutes.

Examples 4-4 and 4-5 show the configuration of routers serving as FAs. In
Example 4-4, the FA allows Mobile Nodes to roam on interface E1/0 with
FA Care-of Address (FA-CoA) 192.168.5.1. In Example 4-5, the FA allows
Mobile Nodes to roam on interface E1/0 with FA-CoA 192.168.6.1. In both
examples, the IRDP agent advertisement timers are adjusted.
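The following is an added example of an FA configuration in the style of Example 4-4; it is not the book's own listing. The CoA 192.168.5.1 on Ethernet1/0 comes from the text; the uplink interface and its address 192.168.3.1, the OSPF process and the specific IRDP timer values are constructed assumptions. The timers follow the rule of thumb in the text: the holdtime is three times the maximum advertisement interval.

```cisco
! Added example: FA with Care-of Address 192.168.5.1 on Ethernet1/0.
! Uplink address, OSPF process and timer values are assumptions.
hostname FA1
!
interface Ethernet0/0
 description Uplink toward the IS (constructed address)
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet1/0
 description Visited link where Mobile Nodes attach; also the CoA
 ip address 192.168.5.1 255.255.255.0
 ! Accept Mobile Node registrations on this interface
 ip mobile foreign-service
 ! Agent advertisements ride on IRDP, so IRDP must be enabled here.
 ! Defaults (max 5 min, holdtime 15 min) are far too slow for handover;
 ! each advertisement is sent at a random interval between min and max.
 ip irdp
 ip irdp maxadvertinterval 10
 ip irdp minadvertinterval 7
 ip irdp holdtime 30
!
! Mobile IP process must run before ip mobile commands are accepted
router mobile
!
router ospf 1
 network 192.168.0.0 0.0.255.255 area 0
!
! Enable FA function and name the interface whose address is the CoA
ip mobile foreign-agent care-of Ethernet1/0
```

With a 30-second holdtime, a Mobile Node that misses one or two advertisements because of transient packet loss keeps its binding, while an FA that really disappears is aged out within half a minute; a shorter holdtime trades robustness against loss for faster detection.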

Mobile Node Configuration

In this chapter, the Mobile Node is an IOS router running the IOS Mobile
Networks feature. For this example, only a small subset of the IOS Mobile
Networks features is used; full coverage is available in Chapter 7. The Mobile
IP client used in IOS Mobile Networks is built on the same standard as a Mobile
IP client for a PC or personal digital assistant (PDA) and, thus, requires all
the same basic configuration attributes. In general, each Mobile Node must be
configured with its identification, Home Agent's IP address, and a security
association shared with the Home Agent.

IOS Mobile Networks uses a static home address for identification that needs
to be configured on an interface before it can be used by the Mobile IP client.
You should configure the home address on a loopback interface so that the home
address is always up. The home address is a host address and, as such, needs to
be configured with a /32 mask. (If the loopback does not have a host mask,
traffic for other nodes on the Mobile Node's home network does not follow the
default route; it is routed to the loopback and dropped.)

The real mask of the home network is configured with the ip mobile
router address command. One or more physical interfaces need to be specifically
configured as roaming interfaces. These interfaces also must be configured with
an IP address to enable IP traffic on that interface. Note that the IP address
does not need to be valid and routable. Addresses from the autoconf (link-local)
space are commonly used, but you can pick any IP address.

As with all Mobile IP entities, the router mobile command is required
to enable the Mobile IP process on the mobile router. After enabling Mobile IP,
the Mobile IP client configuration is invoked with the ip mobile router command,
setting the router in mobile router configuration mode. In this mode, the home
address and home network subnet mask are configured with the address subcommand,
and the Home Agent address is configured with the home-agent subcommand, as
shown in the following example:

Recall that the security association is configured from the perspective of
the Mobile IP entity on which the command is invoked; that is, this line
configures the MN-HA security association.

Example 4-6 shows a mobile router configuration with a home address of
192.168.100.10 and a Home Agent address of 192.168.1.2. Note that the home
address is configured on the loopback interface, and interface E0/0 is
configured as the roaming interface.
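The following is an added example of a mobile router configuration matching the description of Example 4-6; it is not the book's listing. The home address 192.168.100.10, the /24 home network, the Home Agent address 192.168.1.2, the loopback home address and the E0/0 roaming interface come from the text. The roaming interface address from the autoconf space, the ip mobile router-service roam interface command, the ip mobile secure home-agent form, and the SPI and placeholder key (which must match what the Home Agent has for this node) are assumptions about IOS syntax not shown on the page.

```cisco
! Added example: mobile router acting as the Mobile Node.
! Roaming-interface address, SPI and key are assumptions; key is a lab placeholder.
hostname MR
!
! Home address on a loopback with a /32 host mask so it is always up and
! other home-network addresses still follow the default route
interface Loopback0
 ip address 192.168.100.10 255.255.255.255
!
! Roaming interface: the address need not be routable; autoconf space used here
interface Ethernet0/0
 ip address 169.254.0.10 255.255.255.0
 ip mobile router-service roam
!
! Mobile IP process, required on the mobile router as on every other entity
router mobile
!
! Mobile IP client: home address with the real home-network mask, and the Home Agent
ip mobile router
 address 192.168.100.10 255.255.255.0
 home-agent 192.168.1.2
!
! MN-HA security association seen from the Mobile Node: same SPI, key,
! algorithm and mode as the ip mobile secure host line on the Home Agent
ip mobile secure home-agent 192.168.1.2 spi 100 key hex 00112233445566778899aabbccddeeff algorithm md5 mode prefix-suffix
```

On the mobile router, show ip mobile router shows the current state and the registered CoA (a verification command I use; it is not described on this page). If the SPI or key here differs from the Home Agent's entry, the RRQ fails authentication and no binding is created, which is the most common cause of a registration that never completes in a lab.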